We are considering nessus as an option. When we make our final decision I will make it a point to send a notification message to full disclosure.
On Wed, 2003-01-29 at 11:48, Georgi Guninski wrote:
> Personally don't care whether you release exploits or not.
>
> But will you use nessus and such?
> Because someone filled the nessus db imho.
>
> Georgi Guninski
> http://www.guninski.com
>
> Strategic Reconnaissance Team wrote:
> > All,
> >
> > I have been following the subject of full disclosure for a while, and as
> > most of you know, have dealt with some of the issues that full
> > disclosure can cause (HP/Secure Network Operations/DMCA). While the
> > idea of full disclosure is a good idea, and while we support it, we feel
> > that the exploit source code should not be released to everyone.
> >
> > It is possible to prove a vulnerability exists by releasing well written
> > advisories. Because of this fact, proof of concept code (exploit
> > source) is not a requirement for the education of the possibly
> > vulnerable. Releasing non-malicious exploit code is also not an option
> > as any local script bunny/kiddie can easily render it functional.
> >
> > Proof of concept code is useful for legitimate contract based
> > penetration tests. It is also useful for study as it demonstrates
> > fundamental flaws in computers today (not built in security). But again,
> > proof of concept code is not for everyone.
> >
> > I am interested in hearing the opinions of the people on this list. If
> > you are for exploit source disclosure, I would like to hear arguments
> > supported by facts, that explain why. I am equally interested in
> > reasons why not to disclose information.
> >
> > With that said, Secure Network Operations, Inc. will no longer be
> > releasing functional proof of concept code. We may release sufficiently
> > detailed advisories.
> >
> >

--
Strategic Reconnaissance Team <[EMAIL PROTECTED]>
Secure Network Operations, Inc.
